Patches released by Rockwell Automation for its RSLinx Classic software address a critical vulnerability that can be exploited for denial-of-service (DoS) attacks and possibly for remote code execution.
RSLinx Classic, which Rockwell claims is the most widely installed communications software in automation, is designed for connecting Allen Bradley programmable logic controllers (PLCs) to programming, data acquisition and configuration applications.
Researchers at Tenable discovered that a DLL file used by the product has an input validation issue that can be used to trigger a buffer overflow by passing data in a Forward Open service request to a fixed-size buffer.
This buffer overflow, tracked as CVE-2019-6553, can be exploited to cause the application to enter a DoS condition and crash, and possibly even to execute arbitrary code on the victim’s machine.
The vulnerability can be exploited remotely by sending a specially crafted package to the RSLinx Classic application on port 44818. A CVSS score of 10 has been assigned to the flaw.
According to Rockwell, the security hole affects RSLinx Classic versions 4.10.00 and earlier. The company has released patches for each of the impacted versions, but mitigations are also available.
Users can prevent potential attacks by disabling port 44818, which is typically needed when they want to use unsolicited UDP messages. This port can be disabled by unchecking the “Accept UDP Messages on Ethernet Port” in the tool’s Options screen in the General tab.
Rockwell has pointed out that in RSLinx 4.10 and later this feature has been disabled by default.
Rockwell Automation is currently working on patches for two vulnerabilities affecting its Allen-Bradley PowerMonitor 1000 products. Details of these flaws have been public since November 2018.